1

SFOS and EFAIL

asked 2018-05-16 07:25:06 +0300

4carlos

Simple question: what about SFOS and Email, vulnerable?


Comments

Where do you see PGP in SFOS?

pawel ( 2018-05-16 07:53:49 +0300 )
1

Right, not now. But in the future, with functional (business) upgrades in SFOS 2.2 - 3.x?

4carlos ( 2018-05-16 08:06:20 +0300 )

1 Answer

2

answered 2018-05-16 16:22:44 +0300

ghling

I'm not aware that SFOS would currently support PGP encrypted files. So no, there is no vulnerability here affecting SFOS. There may be third-party apps for mail encryption. If you are using one of those, please check with the developer(s) of the app to see if the app displays mail as HTML and loads external resources by default (because this is the attack vector described by EFAIL).


Comments

2

Encrypting files with PGP is fine. PGP itself has no vulnerability. So using e.g. gnupg for signing files is fine. It is certain email clients or plugins that are vulnerable when decrypting encrypted emails. Besides, encrypted, pure text email is fine. Encrypted HTML emails are vulnerable.

johanh ( 2018-05-16 21:34:26 +0300 )

The vulnerability comes from the fact that the standard doesn't mandate integrity checks of the encrypted data. An attacker can add HTML code to the content that, when parsed, for example triggers loading of remote content (if allowed by the email client). In those requests decrypted content can be exfiltrated. Software that (currently against the standard) refuses to decrypt the contents if integrity checks are missing or failing is presumably safe. I assume that anybody that adds support for encryption to the email client in Sailfish OS is aware of this vulnerability and makes sure that integrity checks are required when loading emails. See more for example at eff.org and The Mozilla Thunderbird Blog.

luen ( 2018-05-17 00:42:38 +0300 )
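
Added example (not part of the thread above, and not code from any Sailfish OS mail app): a sketch of the two checks discussed in the answer and its comments, refusing to display a decrypted mail unless the integrity check passed, and preferring plain text while flagging remote references in HTML. It assumes the client runs GnuPG with `--status-fd` and collects the status lines; the function names and sample inputs are hypothetical.

```python
import re
from email import message_from_string, policy

# Constructs that make an HTML renderer fetch a remote URL.
REMOTE_REF = re.compile(
    r"""(?:src|href|background|action|poster)\s*=\s*["']?\s*(?:https?:)?//[^\s"'>]+"""
    r"""|url\(\s*["']?\s*(?:https?:)?//[^\s"')]+""",
    re.IGNORECASE)

def integrity_verified(status_lines):
    """True only if gpg reported a successful, integrity-checked decryption."""
    keywords = {line.split()[1] for line in status_lines
                if line.startswith("[GNUPG:] ") and len(line.split()) > 1}
    if keywords & {"BADMDC", "DECRYPTION_FAILED"}:
        return False
    return {"DECRYPTION_OKAY", "GOODMDC"} <= keywords

def display_decision(status_lines, decrypted_mime):
    """Return (action, body, remote_refs) for a decrypted MIME message."""
    if not integrity_verified(status_lines):
        return ("refuse", "", [])  # never hand unverified data to a renderer
    msg = message_from_string(decrypted_mime, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:
        return ("show_plain", plain.get_content(), [])
    html = msg.get_body(preferencelist=("html",))
    if html is None:
        return ("no_text_body", "", [])
    content = html.get_content()
    # The caller must render with remote loading off; refs are for logging only.
    return ("show_html_no_remote", content, REMOTE_REF.findall(content))

# Constructed sample inputs (not captured from a real system).
GOOD_STATUS = ["[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] DECRYPTION_OKAY",
               "[GNUPG:] GOODMDC", "[GNUPG:] END_DECRYPTION"]
UNVERIFIED_STATUS = ["[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] DECRYPTION_OKAY",
                     "[GNUPG:] END_DECRYPTION"]  # no integrity confirmation
SAMPLE_HTML_MAIL = (
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<p>Quarterly numbers.</p><img src="http://tracker.example/p.gif">\n')

if __name__ == "__main__":
    print(display_decision(UNVERIFIED_STATUS, SAMPLE_HTML_MAIL)[0])
    action, _, refs = display_decision(GOOD_STATUS, SAMPLE_HTML_MAIL)
    print(action, refs)
```

The list of remote references is a logging aid only; the protection comes from refusing unverified plaintext and from rendering with remote loading disabled, not from pattern matching on the HTML.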

Stats

Asked: 2018-05-16 07:25:06 +0300

Seen: 410 times

Last updated: May 16